[ppml] the "other" policy proposals

Leo Bicknell bicknell at ufp.org
Mon Apr 9 09:01:55 EDT 2007

I'm going to try and stay strict to Marty's technical issues.

1) "Certificates are more commercial."  While it's true more
   businesses use certificates and that more business software is
   likely to support X.509, that doesn't expose the real mechanics
   of the situation.  A vast majority of businesses create their
   own CA which they trust internally (generally by pre-loading on
   PCs).  These internal CAs generally aren't seen outside the
   company at all, and if they are there's no good mechanism to
   trust them as valid.

   Specifically before someone asks, it's likely that a company
   will purchase a commercial certificate for www.company.com, while
   using an internally run and operated CA internally with a wholly
   separate certificate.  I believe this is driven by a combination
   of cost and administration difficulty.

2) "PGP is hard / costly to implement."  PGP is available completely
   for free even for commercial use, one instance is at
   http://www.gnupg.org/.  While I would agree there is less corporate
   support for PGP, there is a significantly higher use of PGP by
   Network Technologists due to a long history of being used for
   Domain, Numbering Resources and other Internet purposes.  I also
   personally believe this will be the method of choice for automated
   tools since the command line clients for PGP are generally easier
   to incorporate into such home-grown solutions.

   I don't believe ARIN can implement this feature for free, however
   I do believe that it should be relatively inexpensive and easy
   for ARIN to implement.

Now, to the real point:

ARIN resources are not properly secured from unauthorized changes.

We need to REMOVE Mail-From entirely.  It is not secure.  I suspect
there is already some abuse going on, and as we move to IPv4 exhaustion
it will only get worse.  The sooner we start the better.

I see no reason why ARIN can't cost effectively support X.509
Certificates, PGP Authentication, and high grade SSL web based
authentication.  (And that web authentication could be both X.509 based,
as well as password, token, or other methods.)

I fully support this proposal as an excellent first step.

       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
